Cisco Talos warns of new Cryptolocker ransomware campaigns

A number of reports are warning businesses and consumers alike that a new round of ransomware based on the infamous Cryptolocker (aka TorrentLocker or Teerac) code is making the rounds.

Today Cisco Talos wrote: “Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis. Several indicators inside the samples we have analyzed point to a new major version of the malware. We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015. It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks.”

Cryptolocker is a highly sophisticated ransomware that used cryptographic key pairs to encrypt the computer files of its victims and demanded ransom for the encryption key. It took a big hit in 2014 as the FBI announced, in conjunction with the Gameover Zeus botnet disruption, that U.S. and foreign law enforcement officials had seized Cryptolocker command and control servers. But it was only a matter of time that such a “successful” ransomware tool resurfaced experts say.

A Nullsoft Installer based executable was used in an attempt to compromise the victim hosts. The adversaries were using the Nullsoft Installer to execute a malicious DLL which starts the unpacking process of the ransomware payload.

In other ransomware campaigns we have often seen that only the payment process was protected by Tor, not the whole infection chain. Crypt0l0cker appears to be using the Tor servers as fallbacks, if the SSL servers are not reachable. More and more malware is leveraging Tor to hide their tracks. Obviously, this makes it harder to detect these campaigns in the network traffic (Tor traffic aside). It also takes more time to identify the malware infrastructure to finally take them down.

As usual, after the infection process is done, the ransomware encrypts all user files and displays the well-known user messages. The malware also comes with full localization. The payload displays the messages in different languages depending on the victim’s geographic location based on his or her IP address

In addition to encrypting files on the local drive, Crypt0l0cker is also scanning connected external drives e.g. USB drives and shared network resources for files to encrypt.

Crypt0l0cker is using a list of file extensions. Files with these extensions are excluded from the file encryption process. It is interesting to see that the authors also exclude some image and text formats, perhaps to prevent the malware from encrypting its own files including the ransom messages and log files.

Talos wrote: “Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. [Cisco’s] CWS orWSA web scanning prevents access to malicious websites and detects malware used in these attacks. Email Security can block malicious emails sent by threat actors as part of their campaign. The Network Security protection ofIPS andNGFW have up-to-date signatures to detect malicious network activity by threat actors. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. [Cisco’s] Umbrella prevents DNS resolution of the domains associated with malicious activity.”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.